Crypto Fails
Showcasing bad cryptography. Archive Ask Crypto Questions About Reasoning by Lego: The wrong way to think about cryptography. Scott Arciszewski from Paragon Initiative pointed me to this example of PHP cryptography. The code is bad and the crypto design is flawed, but as usual for this blog, we can learn something from it. Let’s ignore the fact that it’s using MCRYPT_RIJNDAEL_256 (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES), the fact that it’s not checking the return value of substr(), and the fact that it’s passing a hexadecimal-encoded key to a function that expects a binary string. I’ve covered all of these failings on this blog before, so I won’t touch on them again. Instead, let’s focus on two facts. First, it is doing “MAC then Encrypt” (MtA), which means the Message Authentication Code (MAC) is being applied to the plaintext message before encryption – contrary to modern crypto wisdom. Second, that the MAC is checked with a non-timing-safe comparison, which means that if an attacker can get really precise timing measurements of a failed decryption, they can find out how much of the MAC matches. In the “Encrypt then MAC” (EtM) design, where the MAC is applied to the ciphertext after encryption, this kind of a timing leak usually lets you forge a message. But this time, the MAC is inside the ciphertext, encrypted, so at a first glance, exploiting it seems more difficult. Indeed, the issue was brought up
FEATURES
ALTERNATIVES
A PHP 5.x polyfill for random_bytes() and random_int() created by Paragon Initiative Enterprises.
A tool for xor analysis to guess key length and key based on most frequent characters.
A demonstration of a method to delete a locked executable or currently running file from disk.
A utility tool for decrypting data from weak public keys and attempting to recover the corresponding private key, primarily for educational purposes.
A machine learning-based approach to detect and prevent data breaches using natural language processing and machine learning algorithms.
Zui is a desktop app for exploring and working with data, powered by Zed's 'Super-Structured Data' approach.
PINNED
InfoSecHired
An AI-powered career platform that automates the creation of cybersecurity job application materials and provides company-specific insights for job seekers.
Fabric Platform by BlackStork
Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.
Mandos Brief Newsletter
Stay ahead in cybersecurity. Get the week's top cybersecurity news and insights in 8 minutes or less.
System Two Security
An AI-powered platform that automates threat hunting and analysis by processing cyber threat intelligence and generating customized hunt packages for SOC teams.
Aikido Security
Aikido is an all-in-one security platform that combines multiple security scanning and management functions for cloud-native applications and infrastructure.
Permiso
Permiso is an Identity Threat Detection and Response platform that provides comprehensive visibility and protection for identities across multiple cloud environments.
Wiz
Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.
Adversa AI
Adversa AI is a cybersecurity company that provides solutions for securing and hardening machine learning, artificial intelligence, and large language models against adversarial attacks, privacy issues, and safety incidents across various industries.